Legal basis according to GDPR: Concretisation in foxondo
When are you allowed to process personal data? ONLY when you have a specific legal basis which allows it. Otherwise, never.

Improvements to the legal basis question in foxondo
We have improved foxondo questions for you! In the data protection context, the question about the legal basis for processing personal data can now be answered with even more precision.
To make it easier for you to understand why we did this, we would like to take a closer look at the topic of legal basis here.
Ground rule No. 1: Nothing happens without Art. 6 of the GDPR!
If you want to process personal data, you absolutely must have a legal basis from Art. 6 GDPR for each process. These are:
Consent from the data subject
Performance of a contract or pre-contractual measures to which the data subject is party
Compliance with legal obligations (e.g. based on a law, regulation)
Protection of the data subject’s vital interests
Public interest or the exercise of official authority
Legitimate interests of the controller or a third party (after a legitimate interest assessment)
Do you process sensitive data?
Then Article 9 GDPR is also relevant!
Are you processing special categories of personal data such as health data or trade union membership?
Then, in addition to a legal basis from Article 6 of the GDPR, you also need a legal basis from Article 9 GDPR. This might be:
Regulations in the field of employment and social security and social protection law
Processing of data which the data subject has manifestly made public
Processing data for the establishment, exercise, or defense of legal claims
Processing data for the purposes of preventative or occupational medicine
Do you process data related to criminal convictions or offences?
Art. 10 GDPR sets strict limits!
Do you want to process data on criminal convictions or offenses? In this scenario as well, Art. 6 GDPR alone is not sufficient. You need an additional special legal basis (in particular from national law). Without this, the processing is not permitted!
Here is an example: In the application process, a company wants to check the criminal records of applicants. Even if an employer may have a legitimate interest in hiring someone with no criminal record, this is generally not permissible.
But there are exceptions to this: depending on the specific area of responsibility, questions about criminal records relating to property (e.g. in the financial sector), politics (e.g. in the area of the protection of the constitution) or traffic violations (as in the case of professional drivers) may be asked.
And what have we improved in foxondo?
Where Art. 6, 9 and 10 GDPR were previously summarized into one question in foxondo, there is now an individual question per relevant GDPR article.
The European Court of Justice has clarified that the legal bases must be applied all together rather than one or the other. The new structure takes this into account, ensuring that the company will always document a legal basis as per Art. 6 GDPR and can then apply the other legal bases where applicable.
Of course, you will be guided through this topic as usual without needing to know all the behind-the-scenes details.
How does this affect your previous documentation?
Don't worry, we have automatically restructured the answers you have already provided! Nothing has been lost.
However, if you had previously only documented legal bases as per Art. 9 or 10, you will now notice that the legal basis per Art. 6 is still missing for this processing.
Therefore, we kindly ask you to check the legal basis for your processing activities or have your DPO check them.
Tip: The quickest way to find the questions about legal bases in foxondo is to filter for the tag “legal basis”.